* NOTICES *

JPO and INPIT are not responsible for any
damages caused by the use of this translation.

1. This document has been translated by computer. So the translation may not reflect the original
precisely.

2. **** shows the word which can not be translated.

3. In the drawings, any words are not translated.



CLAIMS 



[Claim(s)] 

1. A method of detecting a virus in a macro in a computer system containing a processor and a storage device, the method including:
a step in which comparison data including information for virus detection is obtained;
a step in which a macro is read;
a step in which said macro is decrypted so that a decrypted macro is produced; and
a step in which said decrypted macro is scanned for a virus by comparing said decrypted macro with said comparison data.

2. The method according to claim 1, further including a step in which said virus is removed from said macro so that a treated macro is produced, when the step in which said decrypted macro is scanned indicates infection by said macro virus.

3. The method according to claim 1, wherein the step in which said macro is read includes:
a step in which it is judged whether a target file is a template file;
a step in which it is judged whether the target file contains an embedded macro when said target file is not a template file; and
a step in which said embedded macro is located when said target file contains a template file.

4. The method according to claim 1, wherein said comparison data contains a first suspect command identifier and a second suspect command identifier.

5. The method according to claim 4, wherein the step in which said decrypted data is scanned for said virus comprises:
a step in which it is judged whether said decrypted macro contains a first portion corresponding to said first suspect command identifier;
a step in which it is judged whether said decrypted macro contains a second portion corresponding to said second suspect command identifier; and
a step in which said decrypted macro is judged to contain said virus when said decrypted macro contains said first and second portions.

6. The method according to claim 5, wherein said first suspect command identifier detects a macro virus enabling command.

7. The method according to claim 6, wherein said second suspect command identifier detects macro virus duplication commands.

8. The method according to claim 2, wherein the step in which said virus is removed comprises:
a step in which a first macro instruction corresponding to said first suspect command identifier is located in said decrypted macro; and
a step in which said first suspect macro instruction is removed.

9. The method according to claim 8, further including a step in which the integrity of said treated macro is verified, and a step in which said infected macro in the target file is replaced by the restored macro according to the verification of the integrity of said treated macro.

10. The method according to claim 8, wherein the step in which said first suspect macro instruction is removed includes a step in which said first suspect command is replaced by a benign command.

11. The method according to claim 8, wherein the step in which said virus is removed comprises:
a step in which a second suspect macro instruction corresponding to said second suspect command identifier is located in said decrypted macro; and
a step in which said second suspect macro instruction is removed from said decrypted macro so that a treated macro is produced.

12. The method according to claim 1, wherein said comparison data contains two or more suspect command identifier groups.

13. The method according to claim 12, wherein the first suspect command identifier group includes the strings 73 CB 00. 0C6C01 00 and 67C2 80.

14. The method according to claim 13, wherein the second suspect command identifier group includes the strings 73 CB 00. 0C6C01 00 and 64 6F 02 67 DE00 73 87 01 12 73 7F, the third suspect command identifier group includes the strings 73 CB 00. 0C6C01 00 and 6D61 63 72 6F 7376 08, the fourth suspect command identifier group includes the strings 12. 6C01 00 and 64 67C2 80 6A0F 47, and the fifth suspect command identifier group includes the strings 79. 7C66 6F 72 6D61 74 20 63 6A and 80 05 Six A07 43 4F 4D.

15. A method of detecting a virus in a macro in a computer system containing a processor and a storage device, characterized by comprising:
a macro reading **** step;
a step in which comparison data for detecting a virus is obtained, including a first suspect command identifier and a second suspect command identifier;
a step in which said macro is scanned to judge whether said macro contains a first portion corresponding to said first suspect command identifier;
a step in which said macro is scanned to judge whether said macro contains a second portion corresponding to said second suspect command identifier; and
a step in which said macro is judged to have been infected with said virus when said macro contains said first and second portions.

16. The method according to claim 15, further including a step in which said macro is treated so that a treated macro is produced, when said macro is judged to contain said first and second portions.

17. The method according to claim 16, wherein the step in which said macro is treated comprises:
a step in which a first macro instruction corresponding to said first suspect command identifier is located in said infected macro; and
a step in which said first macro instruction is removed from said infected macro so that said infected macro is restored.

18. The method according to claim 17, wherein the step in which said macro is treated comprises:
a step in which a second macro instruction corresponding to said second suspect command identifier is located in said infected macro; and
a step in which said second macro instruction is removed from said infected macro so that said infected macro is restored.

19. The method according to claim 15, wherein the step in which said macro is read comprises:
a step in which a target file is accessed;
a step in which it is judged whether said target file is a template file;
a step in which it is judged whether the file contains an embedded macro when the file is a template file; and
a step in which the embedded macro is located when the file contains an embedded macro.

20. The method according to claim 15, wherein said first suspect command identifier includes the string 73 CB 00. 0C6C01 00 and said second suspect command identifier includes the string 67C2 80.

21. The method according to claim 15, wherein said comparison data contains two or more suspect command identifiers.

22. The method according to claim 21, wherein the first suspect command identifier group includes the strings 73 CB 00. 0C6C01 and 67C2 82, the second suspect command identifier group includes the strings 73 CB00. 0C6C01 00 and 64 6F 02 67 DE 00 73 87 01 12 73 7F, the third suspect command identifier group includes the strings 73 CB 00. 0C6C01 00 and 6D61 63 72 6F 73 76 08, the fourth suspect command identifier group includes the strings 12. 6C01 00 and 64 67C2 80 6A OF 47, and the fifth suspect command identifier group includes the strings 79. 7C66 6F 72 6D61 74 20 63 6A and 80 05 Six A07 43 4F 4D.

23. The method according to claim 15, further including a step in which a target file is accessed, a step in which said macro is located in said target file, a step in which said macro is removed from said target file, and a step in which said treated macro is added to said target file so that a restored file is produced.

24. A device which detects a virus in a macro, characterized by comprising:
a virus information module which stores comparison data for detecting a virus, including a first suspect command identifier and a second suspect command identifier; and
a macro virus scanning module which communicates with said virus information module to receive said comparison data, and scans said macro to judge whether said macro contains a first portion corresponding to said first suspect command identifier and a second portion corresponding to said second suspect command identifier.

25. The device according to claim 24, further containing a macro locating and decryption module which communicates with said macro virus scanning module, accesses a target file, judges whether the target file is a template file, judges whether the target file contains an embedded macro, and decrypts the macro so that a decrypted macro is produced.

26. The device according to claim 25, further containing a macro treatment module which communicates with said virus information module, accesses said decrypted macro, removes a first macro instruction corresponding to said first suspect command identifier and a second macro instruction corresponding to said second suspect command identifier, and produces a treated macro.

27. The device according to claim 26, further containing a file correction module which communicates with said macro treatment module, accesses said target file, locates the macro in said target file and removes it from the target file, adds said treated macro to said target file, and produces a corrected file.

28. The method according to claim 27, wherein said first command identifier includes the string 73 CB 00. 0C6C01 00 and said second command identifier includes the string 67C2 80.

29. The method according to claim 27, wherein said comparison data contains two or more suspect command identifier groups.

30. The method according to claim 29, wherein the first suspect command identifier group includes the strings 73 CB 00. 0C6C01 00 and 67C2 82, the second suspect command identifier group includes the strings 73 CB 00. 0C6C01 00 and 64 6F 02 67 DE 00 7387 01 12 73 7F, the third suspect command identifier group includes the strings 73 CB 00. 0C6C01 00 and 6D61 63 72 6F 73 76 08, the fourth suspect command identifier group includes the strings 12. 6C01 00 and 64 67C2 80 6A OF 47, and the fifth suspect command identifier group includes the strings 79. 7C66 6F 72 6D61 74 20 63 6A and 80 05 Six A07 43 4F 4D.

31. A device which detects a virus in a macro, characterized by comprising:
a means to obtain comparison data for virus detection containing a first suspect command identifier and a second suspect command identifier;
a means to scan said macro to judge whether the macro contains a first portion corresponding to said first suspect command identifier;
a means to scan said macro to judge whether the macro contains a second portion corresponding to said second suspect command identifier; and
a means to judge that said macro is infected by a virus when said first and second portions are included.

32. The device according to claim 31, further containing a means to locate, in said macro, a first macro instruction and a second macro instruction corresponding respectively to said first suspect command identifier and said second suspect command identifier, and a means to remove said first macro instruction and said second macro instruction from said macro so that a treated macro is produced.

33. The device according to claim 32, further containing a means to access a target file and judge whether the target file contains a macro.

34. The device according to claim 33, further containing a file correction means characterized by comprising:
a means to access said target file;
a means to remove said macro from said target file; and
a means to add said treated macro to said target file so that a corrected file is produced.

35. A system which detects a virus in a macro, characterized by comprising:
a storage device which stores a routine and comparison data for virus detection, the comparison data containing a first suspect command identifier and a second suspect command identifier; and
a processor which communicates with said storage device, receives said comparison data, and scans said macro to judge whether said macro contains a first portion corresponding to said first suspect command identifier and a second portion corresponding to said second suspect command identifier.



DETAILED DESCRIPTION



[Detailed Description of the Invention] 

System, device, and method for detection and removal of viruses in macros

Background of the invention

Technical field of the invention

This invention relates generally to the detection and removal of viruses in computer files.

Description of the related art

The spread of computer applications and the expansion of communication among an immense number of computers have made the spread of computer viruses remarkably easy. Computer viruses are found in various portions of code embedded in computer programs. When a program infected by a virus is executed, these code portions are activated and produce unintended, and in some cases harmful, operation of the computer system.

Detection of a virus is usually performed using the signature scanning technique. Fingerprint-like strings, or signatures, usable for virus detection have been established for known viruses. In a signature scan, executable files are scanned to check whether they contain an extended string that matches a string known to belong to a virus. If such a signature or string is found in an executable file, a positive virus determination is made. Because it relies on matching against known patterns, the signature scanning technique is of little help against viruses whose patterns have not been identified. In particular, the signature scanning technique cannot detect new, unknown kinds of virus at all, and it cannot provide sufficient protection against mutating viruses that intentionally take on various shapes and forms when they replicate. Also, since it is usually executable files (for example, files with the extension .exe or .com) that are scanned, viruses that are not in these files are not inspected and are therefore not detected by a signature scan.

Many application programs support the use of macros for automatic execution of long or repetitive sequences of operations. A macro is a series of commands, such as menu selections, key presses, and commands, that is stored and assigned a name or a key. In an application program, a macro can be started in response to a key press or a call by macro name. Some macros are embedded in application data files and remain hidden from the user. A macro can be executed automatically without input from the user.

That is, a macro that need not be known to the user and need not be started by the user can reside in files such as application data files.

Certain kinds of virus reside in macros and perform unexpected, harmful operations using macro instructions. These viruses are called macro viruses. One problem is that macro viruses usually do not reside in executable files, and so they evade executable-file scanners. Because macro viruses are hidden, or may be embedded, in files such as application data files, they escape detection. Because a large number of computer users know how to use macro programming languages, the number and diversity of macro viruses are very large. Therefore, even if the signature scanning technique is used to detect viruses in macros, it is ineffective because there are many unknown macro viruses. Even if a comprehensive signature scanner could be used, the scanner would become obsolete immediately because new unknown macro viruses continue to appear.

Conventional virus removal techniques are also insufficient for treating a virus-infected macro. These conventional techniques search for a specific known virus and apply a specific correction technique according to the specific virus detected by the search. Because of the immense **** of unknown macro viruses, such correction techniques are not very effective in treating virus-infected macros. Even if an unknown virus is detected in a macro, simply deleting the file that contains the infected macro is not an effective solution, because the infected macro in many cases includes legitimate operations that the user wants to keep. It is therefore necessary to selectively remove viruses, especially unknown viruses, from macros and then to produce a usable corrected file that is free of infection.

Another problem is that viruses, and the information required to detect them, are always changing. A virus detection method and a virus detection device whose virus detection information is easy to update are therefore required. In particular, detection information for unknown macro viruses that can be changed easily is required.

As described above, viruses that reside in macros need to be detected. It is necessary to detect unknown macro viruses, to selectively clean macro viruses out of macros, and to update macro virus detection information simply.

Summary of the invention

This invention overcomes the limitations and shortcomings of the conventional technology with a system, device, and method for detecting and removing viruses from macros. According to this invention, a macro virus detecting module contains a macro locating and decryption module, a macro virus scanning module, a macro treatment module, a virus information module, a file correction module, and a data buffer. According to the configuration settings of the macro virus detecting module, a file is targeted for virus detection and copied to the data buffer for analysis. The file is examined by the macro locating and decryption module, which judges whether it is a template file. When the file is judged to be a template file, all the macros in the template file are located and decrypted. When the target file is not a template file, the macro locating and decryption module examines the target file, judges whether it contains an embedded macro, and locates and decrypts that macro. The decrypted macro is stored in the data buffer.

The macro virus scanning module communicates with the macro locating and decryption module and with the data buffer, and thereby accesses the decrypted macro for a virus scan. The macro virus scanning module also communicates with the virus information module. The virus information module includes the information that the macro virus scanning module uses to detect known and unknown viruses in macros. The decrypted macro is first scanned for known viruses.

When a known virus is detected, the decrypted macro is flagged as infected. The decrypted macro, its flag, and the information that associates the decrypted macro with the known virus detected in it are stored in the data buffer. The macro treatment module and the file correction module then appropriately treat the infected macro and correct the file in which the infected macro resides.

When no known virus is detected, the macro virus scanning module judges whether the decrypted macro contains an unknown virus. The macro virus scanning module detects unknown macro viruses using the comparison data stored in the virus information module. This comparison data includes the information used to detect combinations of suspect instructions in macros. A preferred example of a set of comparison data contains first and second suspect command identifiers. The macro virus scanning module judges that the macro contains a virus when both the first and the second suspect commands are contained in the macro. When an unknown virus is detected, the macro is flagged as an infected macro according to the set of suspect command identifiers that led to detection of the unknown virus. As in the case of detection of a known virus, the information that led to the detection is stored in the data buffer together with the infected macro, and the macro treatment module and the file correction module appropriately treat and correct the infected macro. Because the macro virus scanning module searches not for a signature in the form of a specific sequence but for combinations of suspect instructions, unknown viruses are detected. Because the information for detecting known and unknown viruses resides in a separate module, it is easily updated.

The macro treatment module communicates with the macro virus scanning module and the data buffer, and thereby acquires information about the detected virus. The macro treatment module removes the virus from the macro and generates a cleaned, or virus-removed, macro, so that the file containing the infected macro can be repaired or corrected by the file treatment module. The macro treatment module accesses the decrypted macro in the data buffer and judges whether it is flagged as infected by a known virus. When the macro is flagged as infected by a known virus, the known virus is removed from the macro. When the macro is not infected by a known virus, the macro treatment module treats the macro using the set of command identifiers used for detection of the unknown virus in the macro. The macro treatment module receives the decoded macro and the information about the presence of a virus from the macro virus scanning module and the data buffer. The suspect commands in the decrypted macro are identified and located using the command identifiers; next, the suspect commands are removed from the infected macro, preferably by replacing them with benign commands, and a cleaned, or virus-removed, treated macro is produced. This treated macro is stored in the data buffer for access by the file correction module. The integrity of the treated macro is checked, and its validity is flagged according to the result of the check. When the integrity of the macro is maintained on completion of macro treatment, a valid flag is set. When integrity is not maintained, no flag is set.
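
The unknown-virus scan and the treatment step from the two preceding paragraphs, as an added Python example that is not code from the patent. The byte patterns are constructed placeholders rather than the strings in the claims, the filler byte standing in for a benign command and the integrity test are assumptions, and all names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class IdentifierSet:
    """One set of comparison data; both patterns must occur in the macro."""
    name: str
    first: bytes   # first suspect command identifier
    second: bytes  # second suspect command identifier


# Constructed placeholder patterns (assumption), NOT the strings in the claims.
COMPARISON_DATA = (
    IdentifierSet("set-1", bytes.fromhex("aa01bb"), bytes.fromhex("cc02")),
    IdentifierSet("set-2", bytes.fromhex("aa01bb"), bytes.fromhex("dd03ee04")),
)

# Constructed decoded-macro buffers used as sample input.
INFECTED = bytes.fromhex("1011" "aa01bb" "20" "cc02" "30")
ONLY_FIRST = bytes.fromhex("10" "aa01bb" "2021")

BENIGN_FILLER = 0x00  # assumption: stands in for a benign replacement command


def find_offsets(data: bytes, pattern: bytes) -> List[int]:
    """Return every offset at which pattern occurs, overlaps included."""
    offsets = []
    pos = data.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(pattern, pos + 1)
    return offsets


def scan_macro(decoded: bytes,
               comparison_data: Sequence[IdentifierSet]) -> Optional[IdentifierSet]:
    """Flag the macro only when BOTH identifiers of one set are present."""
    for ident in comparison_data:
        if ident.first in decoded and ident.second in decoded:
            return ident
    return None


def treat_macro(decoded: bytes, ident: IdentifierSet) -> Tuple[bytes, bool]:
    """Overwrite located suspect commands; return (treated macro, valid flag)."""
    treated = bytearray(decoded)
    for pattern in (ident.first, ident.second):
        for off in find_offsets(decoded, pattern):
            treated[off:off + len(pattern)] = bytes([BENIGN_FILLER]) * len(pattern)
    result = bytes(treated)
    # Assumed integrity test: layout preserved and neither pattern remains.
    valid = (len(result) == len(decoded)
             and ident.first not in result
             and ident.second not in result)
    return result, valid


def process_macro(decoded: bytes) -> Tuple[Optional[str], bytes, bool]:
    """Scan, then treat if flagged. The file is only corrected when valid."""
    ident = scan_macro(decoded, COMPARISON_DATA)
    if ident is None:
        return None, decoded, True
    treated, valid = treat_macro(decoded, ident)
    return ident.name, treated, valid


if __name__ == "__main__":
    for label, macro in (("infected", INFECTED), ("only-first", ONLY_FIRST)):
        name, out, valid = process_macro(macro)
        print(label, name, out.hex(), valid)
```

A macro that contains only one pattern of a set is not flagged, and a treatment that leaves a suspect pattern in place returns a false valid flag, the case in which the treated macro is not used to replace the infected one.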

The file correction module communicates with the macro locating and decryption module, the macro virus scanning module, the macro treatment module, the data buffer, and the virus information module. The treated macro and the information about the target file containing the infected macro are accessed in the data buffer. The file correction module accesses the target file in its original form and stores a copy of the target file in the data buffer. The copy of the target file contains the infected macro. When the macro is not flagged as valid, the treated macro is not used to replace the infected macro. Instead, an alternative corrective action is taken, such as deleting the target file, notifying the user of the existence of the file containing the infected macro, or removing the infected macro from the target file and replacing the target file with a macro-less version. When the macro is flagged as valid, the target file is corrected, and the file correction module replaces the infected macro with the treated macro. To replace the infected macro, the file correction module locates the infected macro and removes it from the target file, and the version of the target file without the macro is stored in the data buffer. Next, the treated macro is added to the version of the target file without the macro, and a corrected file is produced. This corrected file is used to replace the target file (in its original location). Unknown viruses are thus removed from macros, and files containing such macros are corrected so that their proper functions are retained.

Brief description of the drawings

The above and other detailed features of this invention are described in detail in the following explanation, which refers to the accompanying drawings.

Drawing 1 is a block diagram illustrating a computer system containing the macro virus detecting device of this invention.

Drawing 2 is a block diagram illustrating a preferred embodiment of the storage device of this invention.

Drawing 3 is a block diagram illustrating a preferred embodiment of the macro virus detecting module of this invention.

Drawing 4 is a flow chart illustrating the macro virus detection and correction method of this invention.

Drawing 5 is a flow chart illustrating the macro locating and decoding method of this invention.

Drawing 6 is a flow chart illustrating the method of scanning a macro for viruses of this invention.

Drawing 7 is a flow chart illustrating the macro treating method of this invention.

Drawing 8 is a flow chart illustrating the file correction method of this invention.

Drawing 9 is a table including a preferred example of the sets of comparison data used for detection of macro viruses.

Detailed description of the invention

Referring to Drawing 1, the computer system 100 configured according to this invention contains the central processing unit (CPU) 104, the display 102, the storage device 106, the input device 108, the data storage device 110, and the communication unit 112. The CPU 104 is connected to the display 102, the storage device 106, the input device 108, the data storage device 110, and the communication unit 112 by the bus 114 in a conventional architecture, such as the von Neumann architecture, as in a personal computer. Preferably, the CPU 104 is a microprocessor such as the Pentium marketed by Intel of Santa Clara, California; the display 102 is a video monitor; the storage device 106 is random access memory (RAM); the input device 108 is a keyboard and a mouse; the data storage device 110 is a hard disk drive; and the communication unit 112 is a device, such as a modem, that facilitates communication with other systems.

Various other computer system configurations are available, and this invention is not restricted to any one of them. For example, an alternative processor marketed by Motorola can be used for the CPU 104, and the storage device 106 can also consist of read only memory (ROM) or a combination of RAM and ROM. The system 100 can also be connected to other computer systems through a network interface (not shown). It should be understood that the computer system 100 may also be a minicomputer or a mainframe computer.

According to instructions from the memory 106 configured according to this invention, the CPU 104 supplies signals for accessing computer files, judging whether these files contain macros, locating macros, scanning macros to judge whether they contain viruses, including unknown viruses, and taking corrective action when a virus is detected.

Drawing 2 shows a preferred embodiment of the storage device 106 configured according to this invention in more detail. The storage device 106 stores the operating system 202, the application program 204, and the macro virus detecting module 206.

The operating system 202 is preferably a conventional operating system for personal computers, such as WINDOWS 3.1 marketed by Microsoft Corp. of Redmond, Washington. Any of various application programs, such as word processing, spreadsheet, and drawing programs, can be stored in the storage device 106. For example, Microsoft WORD can be stored in the storage device 106 as a word processing application and Microsoft Excel as a spreadsheet application. The application program 204 usually creates application data files. For example, WORD generates data files that have the ordinary file extension .DOC. A typical application program 204 supports macros that make sequences of operations possible without keyboard input from the user. Conventional macros include various commands, from those for relatively simple operations such as key presses to those for operations such as opening, copying, and deleting files. A macro instruction may also call the operating system (or the DOS shell) to execute low-level commands such as FORMAT. The macro commands that can be used are usually determined by the application program 204 that supports the macro programming language. For example, macros for WORD files are written in the WordBasic programming language.

Various other operating systems 202, such as OS/2 marketed by IBM, can alternatively be used with this invention. Various application programs 204 can also be used. Although some embodiments of this invention describe detection of macro viruses that use WordBasic commands in WORD application data files, a person skilled in the art will understand that this invention can also be applied to such alternative operating systems 202 and alternative application programs 204.

The macro virus detecting module 206 includes routines for accessing files, for judging whether 
these files contain macros, for scanning the macros and judging whether they contain a virus, and 
for treating macros judged to contain a virus and correcting files that contain infected macros. 
The macro virus detecting module 206 operates in cooperation with the operating system 202 and 
the application program 204. Although the macro virus detecting module 206 is usually implemented 
in software, it can also be implemented in hardware or firmware. Although the macro virus 
detecting module 206 is preferably separate from the operating system 202 and the application 
program 204, as illustrated, a macro virus detecting module can instead be integrated into the 
operating system 202 or the application program 204 and carry out the same virus detection and 
corrective action. 

Referring to FIG. 3, the preferred working example of the macro virus detecting module 206 
includes the macro locating and decryption module 302, the macro virus scanning module 304, the 
macro treatment module 306, and the file correction module 310. In addition, the virus 
information module 308 supplies comparison data for detecting viruses in macros and for treating 
virus-infected macros, and the data buffer 312 stores the information used for macro virus 
detection and correction. Although the data buffer 312 is illustrated as a single module 
containing several storage locations, two or more separate data buffers can also be used for the 
various functions of this data buffer 312. 

The macro virus detecting module 206 accesses a target file and judges whether it contains 
macros. Access to files is governed by configuration settings of the module 302, which are set by 
the user or determined beforehand. For example, a user may target a single file for analysis. 
Groups of files, such as the files corresponding to a selected application program 204, can be 
targeted, as can all the files in a selected directory or storage area. File analysis can be 
started by various events. For example, the user can start a virus scan, analysis can be started 
whenever a certain application file is opened, and a complete analysis can be scheduled for every 
nth boot of the system 100 or at specified time intervals. The macro locating and decryption 
module 302 is preferably configured to access any file that may contain a macro virus, and to 
access these files before the application program is started (i.e., before an application data 
file is opened). This is because some macro viruses act when the related application program is 
started and therefore must be detected before the user starts it. 

Each target file is accessed by the macro virus detecting module 206 and stored in the data 
buffer 312 for analysis. For ease of understanding, the analysis of a single file is explained in 
relation to the specific functions of the modules 302, 304, 306, 308, 310, and 312, but this 
invention can also analyze several files concurrently or sequentially. 

The macro locating and decryption module 302 examines a target file to judge whether it is of a 
type that contains macros and whether it contains embedded macros, locates the macros within the 
target file, and decrypts them. 

The macro locating and decryption module 302 communicates with the data buffer 312 and thereby 
accesses the target file for analysis. Macros are found in template files and embedded in 
application data files. The macro locating and decryption module 302 first judges whether the 
target file is a template file. This judgment is made by checking the file extension. For 
example, if the file relates to the WORD application program 204, the file is checked for the 
extension .DOT. The .DOT extension shows that a file is a template file. 

Even when the target file is not judged to be a template file, it may contain embedded macros. 
For example, application data files, such as a WORD file with the .DOC extension, may contain 
embedded macros. The macro locating and decryption module 302 accesses the target file stored in 
the data buffer 312 and judges whether its formatting indicates embedded macros. The formatting 
fields vary according to the conventions of each application program 204 and are supplied by the 
manufacturer of the application program 204. 

Once it is judged that the target file contains a macro, whether the macro is embedded, is in a 
template file, or is in another type of file that can support macros, the macro is located in the 
target file. The macro locating and decryption module 302 communicates with the operating system 
202. The operating system includes information sharing resources, such as Object Linking and 
Embedding (OLE or OLE2), which is provided by WINDOWS 3.1. This information sharing resource 
provides details of the structure of files, such as application files, and makes it possible to 
locate the objects embedded within a file. Although the commands of the information sharing 
resource vary with the operating system 202, they are generally simple commands that open an 
object, seek a specific stream, and read from or write to the file. Conventional programming 
techniques can be used to implement the use of the information sharing resource in locating and 
decrypting macros. 

After locating a macro, the macro locating and decryption module 302 decrypts the macro so that 
it can be scanned for viruses. The information sharing resource of the operating system 202 is 
used to decrypt the macro into coherent information, and ASCII conversion is used to convert the 
decrypted macro into a form suitable for scanning. The decrypted macro is stored in the data 
buffer 312. Information associating the decrypted macro with the target file from which the macro 
was extracted is also stored in the data buffer 312. 

The macro virus scanning module 304 communicates with the macro locating and decryption module 
302 and the data buffer 312, and the module 302 thereby supplies decrypted macros to the macro 
scanning module 304. The preferred method of macro locating and decryption used by this module 
302 is explained in further detail with reference to FIG. 5. 

The macro virus scanning module 304 includes routines that scan a decrypted macro to detect known 
and unknown viruses by comparing the decrypted macro with data from the virus information module 
308. The macro virus scanning module 304 can be configured to provide many modes of macro virus 
detection. For example, it can be configured to detect only particular groups of viruses, that 
is, only viruses of known form so that scanning time is shortened, or only viruses of unknown 
form; to raise an alarm in response to the first detection of a virus; or to complete the scan of 
several target files before indicating that a virus was detected. 

The macro virus scanning module 304 accesses the decrypted macro in the data buffer 312, scans 
the decrypted macro for known viruses, and, when none is found, scans the decrypted macro for 
unknown viruses. When scanning for known viruses, the macro virus scanning module 304 uses the 
signature scanning technique. That is, the virus scanning module 304 communicates with the virus 
information module 308. The virus information module 308 includes the information for detecting 
known viruses. For example, the virus information module contains strings of data, or 
signatures, that identify known viruses. The macro virus scanning module 304 accesses the 
decrypted macro in the data buffer 312, scans the decrypted macro, and judges whether it contains 
a virus signature. A state machine or a similar technique can be used to perform this scan. When 
a known virus signature is found in the decrypted macro, the macro virus scanning module 304 
identifies the decrypted macro as a macro infected by that known virus and stores, in the data 
buffer, information associating the decrypted macro with the known virus, so that other modules, 
such as the macro treatment module 306, can treat the infected macro. 

When a known virus is not detected, the macro scanning module scans the decrypted macro for 
unknown viruses. As mentioned above, the application program 204 in many cases includes a 
programming language, such as WordBasic, whose commands are used by macros for various 
operations. Macro viruses use various operations and commands to perform unwanted and harmful 
operations. 

The usual application program 204 supports macros by providing template files with macros. A 
template file holds styles such as word-processing settings, and it includes other settings. A 
template file may also contain macros. Usually, a global template file provides settings and 
macros for data files. For example, in Microsoft WORD, the global settings and the macro pool 
reside in the template file NORMAL.DOT. When the application program 204 opens a data file, it 
first opens the global template file, loads the global settings and macros, and then opens the 
data file. The usual data file is formatted so that it indicates to the application program 204 
that it does not contain embedded macros. However, a data file can also be formatted so that it 
indicates to the application program 204 that a template file is included. 

Certain macro viruses save the infected document file in template format while the document or 
data file extension (.DOC) is kept rather than removed. Therefore, an infected macro may be 
embedded in a document that appears to be an application data file. Certain kinds of macros, 
such as "AutoOpen", "AutoExec", and "AutoClose", are executed when a data file is opened. 
Therefore, a user may try to open what looks like a usual data file and, in doing so, cause an 
embedded macro to be executed automatically. Macro viruses also copy themselves into other 
files. For example, a macro virus often copies itself into a data file and formats the data file 
so that it indicates template format, while keeping the usual file extension of the data file. 

A file infected by a macro virus may have its format changed, or the infected data file may be 
saved by the macro virus with updated format information. When the infected macro is copied to 
the global template, it may then spread to other files as they are opened. 

The macro virus scanning module 304 includes routines that detect combinations of macro commands 
that are highly likely to be used by macro viruses, in other words, suspect command 
combinations. One suspect command combination that the macro virus scanning module 304 detects 
is a macro-enabling command together with a macro duplication command. A macro-enabling command 
is a command by which the formatting of a file can be set to indicate that the file contains 
macros for execution. For example, the file formatting can be set to indicate a template file, so 
that the application program 204 executes the template file when the file is opened. Macro 
duplication commands are commands that enable a macro virus to be duplicated. The combination of 
a macro-enabling command and a macro duplication command indicates a macro virus, because such 
commands enable a macro to be duplicated into and executed in a destination file, and these are 
two usual features of macro viruses. 

To identify suspect command combinations, the macro virus scanning module 304 accesses 
comparison data from the virus information module 308. This comparison data contains sets of 
command identifiers for identifying suspect command combinations in a decrypted macro. An 
exemplary set of command identifiers contains a 1st and a 2nd suspect command identifier. A 
command identifier is a binary string, and the decrypted macro is scanned to judge whether it 
contains these binary strings, i.e., suspect commands. When a macro is judged to contain the 
suspect command combination defined by a set of command identifiers, the macro is judged to be 
infected with the unknown virus corresponding to that data set. The macro virus scanning module 
304 flags the decrypted macro as a macro infected by an unknown virus. Information associating 
the decrypted macro with the command identifiers that led to the unknown virus detection is 
stored in the data buffer 312, so that other modules, such as the macro treatment module 306, 
can treat the infected macro accordingly. The suspect command combinations detected by the macro 
virus scanning module 304, namely macro-virus-enabling commands, macro virus duplication commands 
and the like, are explained in further detail with reference to FIG. 6. 

The virus information module 308 is preferably separate from the other modules 302, 304, 306, 
310, and 312 in the macro virus detecting module 206. This makes it easy to update the 
information used for macro virus detection. For example, the virus information 308 can be updated 
by copying new information obtained from media such as a floppy disk. New information can also be 
downloaded from an Internet resource accessed via the communication unit 112 of the computer 
system 100, or via a network link (not shown). With the virus information module 308 separated, 
information transfer and updating become easier, and the protection of the system 100 against 
viruses, including unknown viruses, is therefore strengthened. 

The macro treatment module 306 communicates with the data buffer 312 and the macro virus scanning 
module 304, and thereby receives the information about the detection of a virus in the decrypted 
macro from a target file. The macro treatment module 306 includes a routine that checks the 
status of the decrypted macro to judge whether the macro virus scanning module 304 detected a 
known or unknown virus in it, a routine that removes the macro virus from the decrypted macro, 
and a routine that verifies the integrity of the treated macro. 

The macro treatment module 306 accesses the decrypted macro in the data buffer 312 and checks 
the status of the decrypted macro to judge whether the macro virus scanning module 304 detected a 
known virus. The status of the macro is expressed by information, such as status flags, within 
the data buffer 312. The data buffer 312 stores the information that associates a decrypted macro 
with the known virus contained in the macro. This information is supplied by the macro virus 
scanning module 304, as mentioned above. Alternatively, the macro virus scanning module 304 can 
store the appropriate information and communicate directly with the macro treatment module 306. 

When the known virus flag is set, the macro treatment module uses the information related to the 
known virus to remove the known virus from the decrypted macro. Preferably, the known macro virus 
is selectively removed from the decrypted macro and replaced with harmless commands, and the 
remainder of the macro is kept so that it can still operate. The treated macro is stored by the 
macro treatment module 306 in a separate location in the data buffer 312. Next, the integrity of 
the treated macro is checked by the macro treatment module, and when integrity is maintained, 
the treated macro is flagged as valid. When the integrity of the treated macro is not maintained, 
the treated macro is indicated as invalid. The integrity of the macro is checked by checking 
whether the remaining commands are intact and whether the sequential connection of the commands 
has remained intact. Verifying the integrity of the macro makes it possible for other modules, 
such as the file correction module 310, to choose between alternative treatments, such as 
replacing the infected macro in the target file with the treated macro or simply deleting the 
infected macro. 

When an unknown virus is detected by the macro virus scanning module 304, the macro treatment 
module 306 treats the macro so that the effects of the unknown virus are removed. As in the known 
virus treatment protocol, the macro treatment module 306 communicates with the data buffer 312, 
judges whether an unknown virus was detected, and, when one was, identifies the command 
identifiers that led to the virus judgment. The set of suspect command identifiers that led to 
the detection of the unknown virus in a macro is used to correct the macro. Each command 
identifier is associated with one or more suspect commands so that each command can be identified 
and removed from the macro. To correct the virus, the macro treatment module 306 either decrypts 
the macro in preparation for correction or accesses the macro decrypted by the macro virus 
scanning module 304. Here too, it is preferable to remove the suspect commands from the decrypted 
macro and replace them with harmless commands. The treated macro is stored in the data buffer 312 
for access by other modules, such as the file correction module 310. As in the above-mentioned 
treatment protocol for known viruses, the integrity of the treated macro is verified and the 
macro is flagged accordingly. A suitable macro treatment routine is described in more detail with 
reference to FIG. 7. 

The file correction module 310 communicates with the data buffer 312 and the macro treatment 
module 306, among other modules, and through this communication receives the information about 
viruses detected in macros from a target file. The file correction module 310 includes routines 
for corrective action when a file is indicated as infected. The routine in the macro treatment 
module 306 can be configured so that various corrective actions are performed automatically or 
upon user permission. For example, the file correction module 310 can copy the target file that 
contains the infected macro, replace the infected macro with the treated macro, and replace the 
target file with the corrected version without notifying the user. The file correction module 
310 can also be configured to produce prompts that ask the user whether to proceed at various 
stages of the corrective action. This operation is of course performed interactively using the 
input device 108 and the display 102 of the computer system 100. For example, the file correction 
module 310 indicates to the user that a virus of a certain kind, or an unknown virus, was 
detected in a macro from a target file. Next, the user is asked whether the target file should be 
replaced with a corrected file. A person skilled in the art will understand that there are 
various ways of configuring the file correction module 310 and of displaying prompts at the 
various stages. 

The file correction module 310 communicates with the data buffer 312 and is thereby informed of 
target files that contain infected macros. The file correction module 310 accesses the target 
file that contains the infected macro and stores a copy of the target file in the data buffer 312 
for correction of the file. As mentioned above for the macro locating and decryption module 302, 
the macro virus scanning module 304, and the macro treatment module 306, the data buffer 312 
stores the information about the association between a target file and the treated macro, the 
validity or invalidity of the treated macro, and the kind of virus detected. The file correction 
module 310 checks the macro validity flag in the data buffer 312 to judge whether the macro 
treatment module 306 was able to remove the detected virus and maintain the integrity of the 
treated macro. When the integrity of the treated macro is maintained, the file correction module 
310 corrects the target file in the data buffer 312 by replacing the infected macro in it with 
the treated macro. The virus-infected macro is first located in the infected file. This operation 
can be performed through communication with the macro locating and decryption module 302; 
alternatively, the file correction module 310, which like the module 302 can access the 
information sharing resource of the operating system 202 for locating macros, can perform it 
independently. The copy of the infected target file is stored in the data buffer 312. Next, the 
treated macro is added to a version of the target file without the infected macro, and a 
corrected file is produced. 

This corrected file is used to replace the target file at its original location. This is the 
technique of replacing a target file directly with a corrected file. Alternatively, the target 
file can be deleted or overwritten, and the corrected file can be stored in another location. 

A treated macro that has been flagged as invalid is preferably not used to replace the infected 
macro of the corresponding target file. In that case, the file correction module 310 can perform 
various alternative corrective actions. For example, the user can be told that the target file 
contains a virus, the infected macro can be removed from the infected file without replacement, 
or the target file can be removed. 

FIG. 4 shows a flow chart of the method 400 of detecting unknown viruses in macros. The target 
file for virus detection is accessed first. Target files are usually in the memory 106; they are 
copied to the data buffer 312 so that the macro virus detecting module 206 can detect and remove 
macro viruses from them. Although the processing is explained in detail for only one target 
file, this invention can access and inspect many files. The timing and the range of file access 
depend on how the module 206 is configured, as mentioned above in the explanation of the macro 
virus detecting module 206. That is, various files can be targeted, and virus detection can be 
started based on conditions selectable by the user. Preferably, however, the macro virus 
detecting module 206 operates without requiring the application program 204 to be started, so 
that macro viruses that act when the application program 204 starts can be detected and removed. 

After accessing a target file and supplying it to the data buffer, the macro locating and 
decryption module 302 judges whether macros are present in the target file and proceeds to locate 
and decrypt them. The preferred method 500 of locating and decrypting macros in a file is 
described in more detail with reference to FIG. 5. Next, it is judged whether a macro was found 
by the locating and decryption module 302 (440). When it is judged that there is a macro in the 
target file (440), the macro is scanned by the macro virus scanning module 304 (600), and it is 
judged whether the macro is infected with a macro virus. When it is judged that there is no macro 
in the target file (440), this macro virus detecting method ends. The preferred method of 
scanning (600) is described in more detail with reference to FIG. 6. When a virus is detected in 
the scan (460), the infected macro is treated by the macro treatment module 306 (700). When a 
virus is not detected in the scan (460), this virus detection method ends. The preferred method 
of macro treatment is described in more detail with reference to FIG. 7. After macro treatment 
(700), a corrective action (800) is performed on the infected target file, after which the 
preferred method of macro virus detection ends. A preferred correcting method is explained in 
detail with reference to FIG. 8. 

FIG. 5 shows the preferred method 500 of macro locating and decryption according to this 
invention. Various files, such as application data files and template files, can be targeted. 
The macro locating and decryption module 302 includes routines that first judge whether a target 
file contains macros by judging the type of the file (Step 505). This judgment is made by 
checking the file extension of the target file. By checking the file type, it can be judged 
whether the target file is a template file. When the file is a template file, the macro locating 
and decryption module 302 does not need to judge whether there are embedded macros in the target 
file. Therefore, when the file is judged to be a template file at Step 510, every macro in the 
file is located (525) and decrypted (530) in preparation for the virus scan by the macro virus 
scanning module 304. Each decrypted macro is stored in the data buffer 312 (535) for access by 
the macro virus scanning module 304. 

When it is judged at Step 510 that the file is not a template file or another type of file that 
may contain macros, the target file is examined at Step 515 to judge whether embedded macros are 
present. When there is no embedded macro, it is judged at Step 540 that the target file does not 
contain a macro, and this preferred method ends. The judgment of whether a file contains embedded 
macros is made by checking the file formatting. For example, one format makes it possible to 
indicate to the application program 204 that a template file is included, regardless of what the 
extension of the application data file shows. When the file format indicates a template file, 
the target file may contain an embedded macro. When it is judged at Step 520 that the file does 
not contain an embedded macro, it is judged at Step 540 that there is no macro in the target 
file, and this preferred method 500 ends. 

When it is judged at Step 520 that the target file contains an embedded macro, or when it is 
judged at Step 510 that the target file is a template file containing macros, the macro is 
located at Step 525 and decrypted at Step 530. The locating and decryption module 302 includes 
routines that use the information sharing resources of the operating system 202, such as Object 
Linking and Embedding (OLE or OLE2), which is provided with the WINDOWS 3.1 operating system. As 
mentioned above for the locating and decryption module 302, the information sharing resource 
includes commands that provide details about the file structure, i.e., the details of an 
application file or a template file, so that objects integrated into the file can be located and 
decrypted. Conventional programming techniques can be used to implement the use of the 
information sharing resource for macro locating and decryption. After the macro is located and 
decrypted, it is converted into binary code (for example, by ASCII conversion) and, in Step 535, 
stored in the data buffer 312 so that it can be scanned for viruses. In addition to storing the 
decrypted macro, the macro locating and decryption module 302 maintains and stores the 
association between the decrypted macro and the target file, so that the macro virus scanning 
module 304, the macro treatment module 306, and the file correction module 310 can correctly 
scan, treat, and correct the target file. After the decryption and storage of the macro are 
completed at Step 535, this preferred method 500 of locating and decryption ends. 

The flow chart of FIG. 6 shows the preferred method 600 of detecting viruses in macros according 
to this invention. The macro virus scanning module 304 accesses the decrypted macro information 
provided by the locating and decryption module 302, and includes routines that detect the 
presence of a virus by comparing the decrypted macro information with the virus information 308. 

In the 1st step 605, the decrypted macro is scanned for known viruses. To scan for known 
viruses, the macro virus scanning module 304 uses the signature scanning technique. The macro 
virus scanning module 304 accesses the decrypted macros in the data buffer 312 and judges whether 
they contain the virus signatures that the virus information module provides. In Step 610, it is 
judged, based on the known virus scanning step 605, whether the decrypted macro contains a known 
virus. When there is a known virus, the macro virus scanning module flags the macro in Step 615 
as infected by a known virus, and the information associating the decrypted macro with that 
known virus is stored in the data buffer 312. 

When Step 610 determines that no known virus was detected in the scanning step 605, the macro
virus scanning module 304 scans the decrypted macro for unknown viruses. In Step 615, the macro
virus scanning module 304 obtains a set of command identifiers for detecting unknown viruses.
The macro virus scanning module 304 detects commands that are likely to be used by macro
viruses. These commands are also called suspect commands. Specific combinations of suspect
commands are highly likely to be used by a macro virus. Searching for combinations of suspect
commands avoids false virus detections, because a macro containing two (or more) mutually
different suspect commands is very likely to be infected.

As described in connection with the macro virus scanning module 304, a typical application
program 204 provides template files that contain macros. An application data file normally uses
a global template file, but it can also be formatted to indicate that it contains embedded
macros. For example, a WORD file can be saved in .DOT format to mark its content as a template
file. Many macro viruses cause an infected document file to be saved in the template format
(.DOT) while it keeps the document or data file extension (.DOC). An infected macro may
therefore be embedded in a document that appears to be an ordinary application data file. A
macro virus copies itself to other files. For example, a macro virus often copies itself to a
data file and formats that data file to indicate the template format while keeping the usual
file extension for data files.

One combination of suspect commands detected by the macro virus scanning module 304 is a macro
enabling command together with a macro copy command. A macro enabling command formats a file to
indicate that the file contains macros for execution. For example, the file format is set to
indicate a template file, and the application program 204 can execute the macros when it opens
a template file. Macro copy commands are commands that enable a macro virus to copy itself. The
combination of a macro enabling command and a macro copy command indicates a macro virus,
because these commands accomplish the two usual features of a macro virus: copying the macro,
and executing it in the destination file.

In specific application files, such as Microsoft WORD files, if the file format field .format
is set to 1, the application program 204 (WORD) determines that the file contains embedded
macros, and with appropriate invocation any of the embedded macros in the file will be accessed
and executed. That is, setting .format to 1 in a file enables macro execution in that file, and
any command that provides such a setting in a destination file is considered a macro enabling
command. For example, the command "if dlg.format=0, then dlg.format=1" is a macro enabling
command, because it allows .format to be changed from 0 to 1 in the destination file. Other
commands, such as the command "FileSaveAsa$, 1", keep the original file and save an additional
copy of the file in another format, such as a format indicating that the file may contain
embedded macros. This kind of command is therefore also a macro enabling command. It will be
recognized that various alternative commands enable macro virus execution in a file.

Macro virus copy commands are commands that allow a macro virus to replicate. For example, the
command "MacroCopy" copies a macro and, when the macro is infected, copies all of its harmful
commands from the source to the destination. Other commands, such as the command
"Organizer.copy", also facilitate macro virus replication. It should be understood that various
alternative commands can facilitate macro virus replication.

After the macro commands from an object file have been located, they are converted into binary
code for analysis, as described for the preferred macro location and decryption method 500.
Characteristic binary codes also correspond to suspect commands. For example, the macro virus
enabling command "if dlg.format=0 then dlg.format=1" has a specific corresponding binary code,
as does the macro virus copy command "MacroCopy". The comparison data obtained (615) from the
virus information module 308 therefore includes the binary code, or a characteristic portion of
the binary code, for each of the first and second commands, and thereby identifies the first
and second commands in the macro from an object file.

According to this invention, characteristic binary code portions have been found to correspond
to certain suspect commands. For example, the binary string "73 CB 00 0C 6C 01 00" (hexadecimal
notation) corresponds to the command portion ".format=1" found in several macro virus enabling
commands. For example, the above-mentioned command "if dlg.format=0 then dlg.format=1", and the
commands "if bewaardlg.format=0 then bewoordlg.format=1", "FileSaveAs.Format=1", and
"FileSaveAs.Name=Filename$0, .Format=1", all contain the binary string "73 CB 00 0C 6C 01 00".
This invention therefore uses specific strings, such as 73 CB 00 0C 6C 01 00, as identifiers
for detecting several mutually different suspect macro commands.

The comparison data in the virus information module 308 preferably includes several groups of
command identifiers. Using these command identifier groups, various combinations of suspect
commands can be detected. Various macro virus enabling commands and macro virus copy commands
can be distinguished using each group of command identifiers. Command identifiers are not
restricted to macro virus enabling commands and macro virus copy commands. For example, a
command that causes the computer hard disk device to be reinitialized without confirmation,
together with a command that changes the system configuration so that reinitialization without
notice to the user becomes possible, can be used as a suspect command combination.

Drawing 9 shows a data table containing examples of the command identifiers stored in the virus
information module 308. This example data table 900 contains rows 902 corresponding to several
mutually different command identifiers. The table also includes columns that identify the
command identifier group 903, the command identifier ID number 904, and the text and
corresponding hexadecimal notation 905 of the command identifier binary code. Although each
group of command identifiers preferably includes two command identifiers, additional command
identifiers may be included in a group. A macro virus determination can be based on detecting
two of three command identifiers, or some other subset of the identifiers. The data table 900
is only an illustration. The comparison data can be stored in the virus information module 308
by various techniques.

Referring to the flow chart of drawing 6, after the macro virus scanning module 304 obtains a
group of command identifiers in Step 615, the decrypted macro is scanned to determine whether
it contains the combination of suspect commands identified by the command identifiers. In Step
620, the decrypted macro is scanned using the first command identifier. For example, the
decrypted macro is scanned (620) to determine whether the string 73 CB 00 0C 6C 01 00,
corresponding to the first command identifier in the first group of command identifiers 900,
is present. The scan in Step 620 is performed by a state machine that scans the decrypted macro
and determines whether the above-mentioned string is present. Step 625 determines whether the
first suspect command identifier is present in the decrypted macro. When it determines that no
command corresponding to this first command identifier is present, the macro is determined
(625), at Step 645, to be uninfected according to this command identifier group, and the macro
virus scan method 600 ends.

When Step 625 determines that the first command identifier is present, the decrypted macro is
scanned at Step 630 to determine whether the second command identifier is present. When Step
635 determines that the macro contains the second suspect command identifier, the decrypted
macro is flagged at Step 640 as a macro infected by an unknown virus corresponding to that
command identifier group. Decrypted macro correlation ****** for the command identifier group
that led to the unknown virus detection is stored in the data buffer 312, so that other
modules, such as the macro treatment module 306, can deal with the infected macro as
appropriate.

When Step 635 determines that the second suspect command identifier is not present, the macro
virus scanning module 304 determines at Step 645 that, according to this command identifier
group, the decrypted macro contains no unknown virus, and the macro virus scan method 600 ends.
The determination in Step 635 is made for a single group of command identifiers. Other groups
of command identifiers can be compared against the decrypted macro iteratively to determine
whether an unknown virus is present. The presence of a common first command identifier can be
determined before searching for various alternative second command identifiers.
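The two-identifier scan of Steps 620 to 645, written out as an added example (not code from the patent). It uses the binary identifier the text quotes for ".format=1"; the page gives no binary code for the copy commands, so their ASCII names stand in as placeholders, and the group name and sample buffers are constructed for illustration. The string search is a KMP automaton, one possible form of the state machine the text mentions.

```python
from dataclasses import dataclass

# Binary identifier quoted in the text for the command portion ".format=1".
FORMAT_1 = bytes.fromhex("73CB000C6C0100")
# The page gives no binary codes for the copy commands; ASCII names are placeholders.
COPY_PLACEHOLDER = b"MacroCopy"
ORGANIZER_PLACEHOLDER = b"Organizer.copy"


@dataclass(frozen=True)
class IdentifierGroup:
    name: str        # hypothetical label for one group of data table 900
    first: bytes     # common first identifier (Steps 620/625)
    seconds: tuple   # alternative second identifiers (Steps 630/635)


def build_automaton(pattern: bytes) -> list:
    """KMP failure table: the state to fall back to after a mismatch."""
    fail = [0] * len(pattern)
    k = 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    return fail


def find_all(data: bytes, pattern: bytes) -> list:
    """One pass over data; state is the number of pattern bytes matched so far."""
    fail, state, hits = build_automaton(pattern), 0, []
    for pos, byte in enumerate(data):
        while state and byte != pattern[state]:
            state = fail[state - 1]
        if byte == pattern[state]:
            state += 1
        if state == len(pattern):
            hits.append(pos - len(pattern) + 1)
            state = fail[state - 1]
    return hits


def scan_unknown(decrypted: bytes, groups) -> list:
    """One finding per group whose first AND some second identifier are present."""
    findings = []
    for g in groups:
        first_hits = find_all(decrypted, g.first)
        if not first_hits:        # Step 625 "no": Step 645 for this group
            continue
        second_hits = [o for s in g.seconds for o in find_all(decrypted, s)]
        if second_hits:           # Step 635 "yes": Step 640, flag the macro
            findings.append({"group": g.name, "first": first_hits,
                             "second": sorted(second_hits)})
    return findings


GROUPS = [IdentifierGroup("enable+copy", FORMAT_1,
                          (COPY_PLACEHOLDER, ORGANIZER_PLACEHOLDER))]

# Constructed buffers standing in for decrypted macros held in the data buffer.
INFECTED = b"\x00\x10" + FORMAT_1 + b"\x64\x1d" + COPY_PLACEHOLDER + b"\x00"
ONLY_ENABLE = b"\x00\x10" + FORMAT_1 + b"\x64\x1d\x00"
ONLY_COPY = b"\x64" + COPY_PLACEHOLDER

if __name__ == "__main__":
    for label, buf in (("infected", INFECTED), ("enable only", ONLY_ENABLE),
                       ("copy only", ONLY_COPY)):
        print(label, scan_unknown(buf, GROUPS))
```

The recorded offsets are what a treatment step would need to locate the suspect commands; a buffer holding only one of the two identifiers produces no finding, which is the false-positive control the text describes.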

The flow chart of drawing 7 shows a preferred method 700 of treating an infected macro.

In Step 705, the known virus decision flag is checked to determine whether the macro virus
scanning module 304 detected a known virus in the decrypted macro. The known virus decision
flag is made available in the data buffer 312 to the macro treatment module 306, which relates
the decrypted macro to the virus information used to detect the known virus. Using this virus
information, the known virus is removed from the decrypted macro at Step 715. The virus is
removed from the macro by replacing it with benign commands (no-op etc.). Because the virus is
known, it can be removed selectively so that the legitimate part of the macro remains as it is.
After virus removal, the treated macro is checked in Step 735 to verify its integrity. When the
integrity of the treated macro is determined to be maintained, the macro treatment module 306
flags the treated macro as valid at Step 745. The treated macro is stored in the data buffer
312 together with its validity data and is kept in that state.

When Step 740 determines that the integrity is not maintained, the treated macro is flagged as
invalid in Step 750, and the relevant information is likewise stored in the data buffer 312.

Returning to drawing 7, when the macro treatment module 306 determines that there was no known
virus in the decrypted macro, it treats the macro so as to selectively remove the unknown
virus. The group of command identifiers used to detect the unknown virus in the decrypted macro
is available to the macro treatment module 306 in the data buffer 312.

This group of command identifiers contains the first and second suspect command identifiers.
At Step 720, the first suspect command identifier is used to locate each suspect command
corresponding to that identifier. These commands are located by scanning the decrypted macro
using the techniques described for command detection by the macro virus scanning module 304.
When a command identifier corresponds to a fragment of a command rather than the whole command,
the macro treatment module 306 relates each detected fragment to the whole command. This
correlation depends on the macro programming language used, and conventional techniques can be
used for it. At Step 725, additional suspect command identifiers are used to detect the
corresponding suspect commands. Next, the located suspect commands are replaced at Step 730. As
with known virus string replacement, suspect commands are preferably replaced with benign
commands. The integrity of the macro is verified, the treated macro is flagged according to
whether integrity is maintained, and the macro treatment method 700 ends.

Drawing 8 shows the preferred correction method 800 according to this invention. The file
correction module 310 communicates with the data buffer 312 and the various modules 302, 304,
306, 308, and 310, and accesses information such as the object file in which a macro virus was
detected and the infected macro content that was detected. The object file containing the macro
virus is stored in the data buffer 312 at Step 805. Preferably, the object file is accessed at
its original location and copied to the data buffer 312 together with the infected macro. Next,
the file correction module 310 performs a corrective action, either replacing the macro in the
object file with the treated macro or using an alternative correction technique. The macro
validity flag is checked at Step 810 to determine the integrity of the treated macro
corresponding to the object file. When the treated macro is indicated to be valid, the file
correction module 310 replaces the infected macro in the object file with the treated macro.
In Step 810, the infected macro is located in the object file. This operation is performed
using the information sharing resource (OLE) of the operating system 202. In Step 820, the
information sharing resource is used to remove the located macro from the object file, and the
version of the object file without the macro is stored in the data buffer 312. In Step 825, the
treated macro generated by the macro treatment module 306 is added to the version of the object
file without the macro, producing a corrected file. In Step 830, this corrected file is used to
replace the object file at its original location. The original object file can also be replaced
directly by the corrected file. The corresponding object file can be deleted or overwritten,
and the corrected file can be stored at any location.

Returning to Step 810, when the treated macro corresponding to the object file is flagged as
invalid, it is preferably not used to replace the infected macro. Instead, in Step 835, the
file correction module performs an alternative corrective action according to the user's
configuration settings. Various alternative correction processes will be recognized, such as
notifying the user that the object file contains a virus, removing the infected macro from the
object file without replacement, or deleting the target file.

Although this invention has been explained above with reference to specific embodiments, those
skilled in the art will recognize that various modifications are possible. For example,
although the series of access, location, decryption, detection, and correction operations for
detecting an unknown virus in a macro has been explained in terms of various modules, it will
be understood that the various processes can be incorporated into a common module that performs
equivalent functions. This invention covers these and other modifications and changes to the
above embodiments, and its scope is limited only by the appended claims.

Block diagrams (drawings 1-3) and flow charts (drawings 4-8)

The corresponding translation of **** component parts

(drawing 1)
102 Display
104 Central processing unit (CPU)
106 Storage device
108 Input device
110 Data accumulation device
112 Communication unit

(drawing 2)
202 Operating system
204 Application program
206 Macro virus detecting module

(drawing 3)
206 Macro virus detecting module
302 Macro location and decryption module
304 Macro virus scanning module
306 Macro treatment module
308 Virus information module
310 File correction module
312 Data buffer

(drawing 4)
420 Access a file
500 Locate the macro in the file and decrypt it
440 Macro present?
600 Scan the macro for viruses
460 Virus detected?
700 Treat the infected macro
800 Perform a corrective action on the infected file

(drawing 5)
505 Determine the file type
510 Template file?
515 Examine the file to determine whether it contains embedded macros
520 Embedded files present?
525 Locate the macro in the file
530 Decrypt the macro for scanning
535 Store the decrypted macro in the buffer
540 Determine that no macro resides in the file

(drawing 6)
605 Scan for known viruses
610 Known virus present?
615 Obtain the comparison data for identifying unknown viruses
620 Scan the macro using the 1st command identifier from the comparison data
625 1st suspect command present?
630 Scan the macro using the 2nd command identifier from the comparison data
635 2nd suspect command present?
640 Flag the macro as infected by the unknown virus corresponding to this command identifier group
645 Determine that the macro is not infected according to this command identifier group
650 Flag the macro as infected by a known virus

(drawing 7)
705 Check the known virus decision flag
710 Known virus present?
715 Remove the known virus from the macro
720 Locate each suspect command corresponding to the 1st command identifier
725 Locate each suspect command corresponding to the additional command identifier
730 Replace each located suspect command with a benign command
735 Verify the integrity of the treated macro
740 Integrity maintained?
745 Flag the treated macro as valid
750 Flag the treated macro as invalid

(drawing 8)
805 Store the object file in the data buffer
810 Macro validity flag indicated?
815 Locate the macro in the object file
820 Remove the macro from the object file and store the copy of the macro-less file
825 Add the treated macro to the file from which the macro was removed
830 Replace the object file with the corrected file

[Translation done.] 